Regarding the off-topic flags, imagine the question is "How do I detect bandwidth stealers with Ubuntu?". Answers for this for different operating systems will vary considerably. Being that this was posted here, let's rock on with the Ubuntu-based solutions.
–
Oli♦ Jul 22 '11 at 20:06

3

If I were using Windows and an askwindows existed, I would have posted there, but as I am using Ubuntu, askubuntu has to be the best place to ask such a question.
–
oshirowanen Jul 22 '11 at 20:08

2 Answers
2

I've got three ideas for you. They all have their share of complexity and you can mix and match as you see fit. The first is probably the easiest, but least robust (on its own).

1. Passive MAC detection

The standard way would be to keep track of the MAC addresses that are requesting DHCP addresses from the router. Most routers provide an "Attached Devices" style screen that will tell you who's connecting.

This isn't automatic, but you could (fairly easily) script some Bash/Python to pull the router page down, parse out the MAC addresses and check them against a list of known/allowed MAC addresses.

The problem here is nothing is instant. You rely on the router to update its page and you have to poll this frequently. Some routers won't like this. I have a crappy Edimax router that crashes if you load more than 10 pages in a minute (pathetic!), so this might not work.

MAC addresses are also woefully spoofable. macchanger, for example, will let you spoof your MAC address in one command. I think even Network Manager will let you do it. If somebody doesn't want to be detected, they'll monitor network traffic and spoof one of the valid (known) devices.

2. Active Sniffing

This is where we rip the wheels off and dig in. You'll need a spare wireless something-or-other in a place that can intercept traffic to/from the router (ideally quite close to it).

In short, you hook up airodump-ng and you watch people connected to your network. It should be possible to script this output so when a new device shows up and starts using your network, you can instantly do something.

This writes an auto-incrementing file that can be parsed on a regular basis. The version above writes a comma-separated value file, which is quite basic, but if you're happy with XML (Python can make it pretty simple) you might want to look at the netxml output format for airodump.

Either way, this gives you regular information about which devices are using the network (and how much traffic they're sending too). It's still just as fallible as using the router's ARP table, but it's live.

While you're in promiscuous mode, if your script does pick up a client it thinks shouldn't be on the network, you could use tcpdump to trawl the packets and log exchanges of interest (HTTP requests, etc). It's more programming but it can be done.

3. Fingerprinting with nmap

Another method is to sweep the network for clients with nmap. Normally, you might think, this wouldn't help you too much: if somebody is blocking pings, they might not show up.

I suggest you use this in conjunction with either of the two other methods. 1 will give you the IP address so you can nmap directly. 2 won't give you an IP but it will let you know how many clients nmap should expect to find, at that exact moment in time. Make sure all your devices are pingable.

When nmap runs (e.g. sudo nmap -O 192.168.1.1/24) it will try to find hosts and then it will do a port-scan on them to work out what they are. Your check-list should include how each of your devices should respond to nmap.

If you want to go one further, you could run a simple server on each of your computers. Just something that accepted a connection and then dropped it. In short: Something for nmap to look for. If it finds it open, it's probably your computer.

4. Secure your network better

You should actually do this first if you're worried. Use WPA2/AES. Never use WEP (cracks in about five minutes).

If you're still worried somebody might find out the key (WPA2 takes a lot of data and computational time to crack), move to a RADIUS model. It's an authentication framework that sets up a one-time key for each user. PITA to set up though.
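The airodump-ng CSV parsing that idea 2 describes, as an added example that is not part of the original answer: it reads the station section of the dump, keeps only clients associated with our BSSID and reports any MAC not on a whitelist. The CSV text, BSSID and MACs below are constructed; the column layout follows airodump-ng's CSV output (AP section, blank line, station section).

```python
"""Flag Wi-Fi clients not on a MAC whitelist from an airodump-ng CSV dump."""
import csv
import io

# Constructed whitelist of devices we own (in real use, read it from a file).
KNOWN_MACS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}
OUR_BSSID = "00:11:22:33:44:55"  # constructed: the access point we watch

# Constructed airodump-ng style CSV: AP section, blank line, station section.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-07-22 20:00:00, 2011-07-22 20:05:00,  6,  54, WPA2, CCMP, PSK, -30,  500,  0,   0.  0.  0.  0,   7, HomeNet, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2011-07-22 20:00:10, 2011-07-22 20:05:00, -40,  120, 00:11:22:33:44:55, 
AA:BB:CC:DD:EE:02, 2011-07-22 20:01:00, 2011-07-22 20:04:30, -55,   30, 00:11:22:33:44:55, HomeNet
DE:AD:BE:EF:00:01, 2011-07-22 20:03:00, 2011-07-22 20:05:00, -70, 4200, 00:11:22:33:44:55, 
CA:FE:00:00:00:01, 2011-07-22 20:02:00, 2011-07-22 20:02:05, -80,    3, (not associated), CoffeeShop
"""

def norm_mac(mac):
    """Normalise a MAC so whitelist comparison is case-insensitive."""
    return mac.strip().lower()

def parse_stations(text):
    """Return [(station_mac, bssid, packets)] from the 'Station MAC' section."""
    stations = []
    in_stations = False
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue  # blank separator line
        if row[0].startswith("Station MAC"):
            in_stations = True  # header of the client section
            continue
        if in_stations and len(row) >= 6:
            stations.append((norm_mac(row[0]), norm_mac(row[5]), int(row[4].strip())))
    return stations

def unknown_clients(text, known=KNOWN_MACS, bssid=OUR_BSSID):
    """Clients associated with our AP whose MAC is not whitelisted,
    heaviest talker first (unassociated probers are ignored)."""
    hits = [(mac, pkts) for mac, ap, pkts in parse_stations(text)
            if ap == bssid and mac not in known]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for mac, pkts in unknown_clients(SAMPLE_CSV):
        print("UNKNOWN client %s sent %d packets" % (mac, pkts))
```

Run it over the CSV file airodump-ng keeps rewriting (e.g. from cron) and hand any hit to whatever alerting you prefer; remember the whitelist is only as good as the MAC-spoofing caveat in idea 1 allows.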

My suggestion, Oli's 1.

Use your own dhcpd with an event to trigger an email if necessary.

I am going to have to do some research, but if it were me, I would run my own dhcpd on a Linux box connected to the router (or use openwrt), and then have it email me if a MAC address requests an address that's not on a whitelist.

The question asks about Wifi. Recommending to a user to not use Wifi is not useful to the situation.
–
Thomas W. Jul 22 '11 at 20:19

I like the idea of running your own dhcpd. Does complicate the network setup slightly but there you go.
–
Oli♦ Jul 22 '11 at 21:27

1

Yes, slightly. But it'd only take 10 minutes to set up. Honestly, I would use openwrt instead. 'N3000' is really a vague description of a router, but I think his will run openwrt. This way the network wouldn't 'go down' if the box with the dhcpd did.
–
user606723 Jul 23 '11 at 2:52